DNS spoofing attack detected on D-Link routers and more

Bad Packets reported that, starting in December 2018, a group of cybercriminals hacked home routers, mainly D-Link models, to change their DNS server settings and intercept traffic destined for legitimate sites. Users were then redirected to fake resources.

The attackers reportedly exploited firmware vulnerabilities that make it possible to change a router's behavior without the owner noticing. The list of targeted devices is as follows:

  • D-Link DSL-2640B - 14327 hacked devices;
  • D-Link DSL-2740R - 379 devices;
  • D-Link DSL-2780B - 0 devices;
  • D-Link DSL-526B - 7 devices;
  • ARG-W4 ADSL - 0 devices;
  • DSLink 260E - 7 devices;
  • Secutech - 17 devices;
  • TOTOLINK - 2265 devices.

That is, only two models withstood the attacks. Three waves of attacks were recorded: in December 2018, at the beginning of February, and at the end of March of this year. The hackers reportedly used the following server IP addresses:

  • 144.217.191.145;
  • 66.70.173.48;
  • 195.128.124.131;
  • 195.128.126.165.

Such attacks work on a simple principle: the DNS settings in the router are changed, after which it redirects the user to a clone site that asks for a login, password, and other data. That data then ends up with the hackers. All owners of the above models are advised to update their routers' firmware as soon as possible.
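A defender-side check for the redirection described above, as an added example that is not part of the original article: it extracts the configured DNS servers from resolv.conf text or Windows `ipconfig /all` output and flags any that match the four addresses listed earlier. It assumes those addresses were the rogue resolvers and that the router passes its DNS setting to clients via DHCP; the function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Server addresses the article lists (assumed here to be the rogue resolvers).
ROGUE_DNS = {"144.217.191.145", "66.70.173.48",
             "195.128.124.131", "195.128.126.165"}
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def configured_resolvers(text):
    """Return IPv4 DNS servers found in resolv.conf or `ipconfig /all` text."""
    servers, in_dns_block = [], False
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0]  # drop resolv.conf comments
        if line.split()[:1] == ["nameserver"]:
            hits, in_dns_block = IPV4.findall(line), False
        elif "DNS Servers" in line:                   # first ipconfig DNS line
            hits, in_dns_block = IPV4.findall(line), True
        elif in_dns_block and line.strip() and ". :" not in line:
            hits = IPV4.findall(line)                 # ipconfig continuation line
        else:
            hits, in_dns_block = [], False
        for hit in hits:
            try:
                servers.append(str(ipaddress.ip_address(hit)))
            except ValueError:
                pass                                  # not a valid address
    return servers

def rogue_resolvers(text):
    """Return configured resolvers that match the article's list."""
    return sorted(set(configured_resolvers(text)) & ROGUE_DNS)

# Constructed sample inputs (not taken from a real host).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 66.70.173.48   # pushed by the router via DHCP
nameserver 192.168.1.1
"""
SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 195.128.124.131
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print(rogue_resolvers(SAMPLE_RESOLV_CONF), rogue_resolvers(SAMPLE_IPCONFIG))
```

If the only resolver a client shows is the router's own LAN address, the router is relaying queries itself, and its DNS setting has to be checked in the router's admin interface instead.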

Interestingly, such attacks are now quite rare; they were popular in the early 2000s, although in recent years they have been used periodically. In 2016, for example, a large-scale attack was recorded using ads that infected routers in Brazil.

And in early 2018, there was an attack that redirected users to sites with Android malware.




Source: 3dnews.ru
